uacme: Use UCI to configure firewall instead of iptables

Use UCI to add a temporary incoming firewall rule that accepts HTTP traffic for
challenge verification.

This should make uacme compatible with OpenWrt's fw3/4 implementation.

Signed-off-by: Antti Seppälä <a.seppala@gmail.com>
This commit is contained in:
Antti Seppälä 2022-11-29 13:41:36 +02:00 committed by Tianling Shen
parent 4c58d6d288
commit dd00cd04c5

29
net/uacme/files/run.sh Normal file → Executable file

@ -37,6 +37,7 @@ NGINX_WEBSERVER=0
UPDATE_NGINX=0 UPDATE_NGINX=0
UPDATE_UHTTPD=0 UPDATE_UHTTPD=0
UPDATE_HAPROXY=0 UPDATE_HAPROXY=0
FW_RULE=
USER_CLEANUP= USER_CLEANUP=
. /lib/functions.sh . /lib/functions.sh
@ -135,24 +136,30 @@ pre_checks()
esac esac
done done
iptables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1 FW_RULE=$(uci add firewall rule) || return 1
debug "v4 input_rule: $(iptables -nvL input_rule)" uci set firewall."$FW_RULE".name='uacme: temporarily allow incoming http'
if [ -e "/usr/sbin/ip6tables" ]; then uci set firewall."$FW_RULE".enabled='1'
ip6tables -I input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" || return 1 uci set firewall."$FW_RULE".target='ACCEPT'
debug "v6 input_rule: $(ip6tables -nvL input_rule)" uci set firewall."$FW_RULE".src='wan'
fi uci set firewall."$FW_RULE".proto='tcp'
uci set firewall."$FW_RULE".dest_port='80'
uci commit firewall
/etc/init.d/firewall reload
debug "added firewall rule: $FW_RULE"
return 0 return 0
} }
post_checks() post_checks()
{ {
log "Running post checks (cleanup)." log "Running post checks (cleanup)."
# The comment ensures we only touch our own rules. If no rules exist, that # $FW_RULE contains the string to identify firewall rule created earlier
# is fine, so hide any errors if [ -n "$FW_RULE" ]; then
iptables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null uci delete firewall."$FW_RULE"
if [ -e "/usr/sbin/ip6tables" ]; then uci commit firewall
ip6tables -D input_rule -p tcp --dport 80 -j ACCEPT -m comment --comment "ACME" 2>/dev/null /etc/init.d/firewall reload
fi fi
if [ -e /etc/init.d/uhttpd ] && [ "$UPDATE_UHTTPD" -eq 1 ]; then if [ -e /etc/init.d/uhttpd ] && [ "$UPDATE_UHTTPD" -eq 1 ]; then
uci commit uhttpd uci commit uhttpd
/etc/init.d/uhttpd reload /etc/init.d/uhttpd reload